Posted by CmdrTaco on Saturday January 05, 2008 @11:14AM
from the how-about-trying-to-leak-less dept.

Cassanova writes "Weave is the newest Mozilla Labs project. It allows the user to save browser settings on Mozilla servers (Favorites, sessions, passwords, etc.) and load them from anywhere. With this project, Mozilla is trying to be an online services provider, which is an important step. But can Mozilla labs get over the privacy issues?"

anyone can get over the privacy issues, Mozilla just needs to encrypt the user's settings with a strong key and store the encrypted data to the server. Only the user can decrypt it (assuming he remembers his passphrase) and you're done.

If you make this a non-optional feature then it can be touted as a big privacy win and people will surely be happier with it. If you allow the passphrase to be stored locally then ease of use is solved too (obviously you'd still need to enter it if you used a browser not on your home PC, but that's ok).

I've always hoped that Google would make this an option with gmail. Encrypt all data stored on their servers, add encryption on sending, and they'd have a wonder application. Not that Google (owner of Doubleclick) makes any money from user privacy, of course.

It wouldn't matter. At some point, email is transmitted in the clear. Either you trust Google or you don't. If you don't trust Google, they're receiving all your mail in the clear, so they're already capable of violating your "privacy". If you do trust them and still want your data encrypted, you're not getting much benefit -- the data still goes to recipients in the clear, and they can still receive copies. You're probably better off with thunderbird or evolution or something and gmail IMAP, where you can s

If you do trust them and still want your data encrypted, you're not getting much benefit

If the mailboxes are stored in the encrypted form and Google does not store the content in the plain-text somewhere else (for their "unobtrusive context-sensitive advertisements"), nobody — not even with a government-issued subpoena — can read the mails, until the owner logs in and reads it themselves...

There's a way! I just sent out the patent, I'm calling it "compiling". See you "compile" the "source code" then you can check to see using a program that I will write called "diff" (like difference) to see if the files differ. If they do then it's not the same! Wow I'm gonna be rich!

There's a way! I just sent out the patent, I'm calling it "compiling". See you "compile" the "source code" then you can check to see using a program that I will write called "diff" (like difference) to see if the files differ. If they do then it's not the same! Wow I'm gonna be rich!

And somehow you're gonna access google's servers and diff with their binaries?

Any sort of server side vulnerability means your passwords and destinations can be acquired by law enforcement with a court order (you cannot otherwise be compelled to give them). However, the fact that they are saying _all_ client data gets encrypted is important, because it means they can't issue subpoenas to other sites based on link information stored on the server. Not that I'm paranoid, but that information request could become a trivial law enforcement action in the near future...and we already have e

We kept the server intentionally dumb and standards-based, so that anyone can set up a server for themselves and/or their friends or company.

This is actually a really great idea for backup purposes. It would have to take data archival problems into account but I'd love to see more programs do this in a standard way. It could help out a lot with simplifying the backup process for people who don't really have the ability to do a comprehensive full drive backup.

Security-wise, although I can see that many people would like any stored data encrypted so the service provider can't make use of it, that'd mean the user's computer would need to encrypt/decrypt it client-side. If you want to be able to access information from a bog-standard HTML interface (which I believe Opera Link allows), the service provider needs to be able to decrypt your information server-sid

anyone can get over the privacy issues, Mozilla just needs to encrypt the user's settings with a strong key and store the encrypted data to the server. Only the user can decrypt it (assuming he remembers his passphrase) and you're done.

Clearly you are not up to date on the tinfoil. What happens if they store that data till quantum computers come out?! They'll just break the encryption and years later they'll know about all your goatse links.

I understand that all this online frenzy hit all major players in the IT field, but I still think that the Internet as it is now is not ready for this, and, in parallel, a lot of people don't feel ready for this.
By the way, good luck to Mozilla; it is always good to have more than one player.

I think anything that can make a computer workstation as generic as a television is a good idea; the challenge lies in handling the user data/settings. If everything was online and online again, you would not need X-on-a-stick but only to log in to your online profile from any workstation. Hm, imagine that. Having a workstation that from the ground up is equipped to handle roaming users, even across the internet. There would be issues with compatibility and installed software, but assuming the basics (OS log

Well, you can pry my self-contained, customised ultraportable laptop from my dead, cold hands. And only then. I have yet to see a web-based application that is as fast and convenient to use as a native program and doesn't get in the way due to being a slightly overpowered web page. And I have yet to see two (let alone any more) separate web applications that have a consistent look&feel, which is a critical feature of any *work*station, that is, a computer used for doing some kind of *work*, not wasting

Unix was there for the local network 15 years ago. You would walk up to any terminal and could log in with all your settings, preferences intact. It worked over the Internet too, but the general internet had way too much lag for X applications to run that way. It would be possible now if it weren't for MSFT and their silly dog Apple. MSFT has done one good thing though, they brought down the cost of the hardware so everyone can afford some. Now if only they would bring down the cost of their OS so people

Unix was there for the local network 15 years ago. You would walk up to any terminal and could log in with all your settings, preferences intact [...] but the general internet had way too much lag for X applications to run that way.

I'm not talking about running apps remotely, which is basically a thin client with or without X-the-windowing-system; when I said X-on-a-stick I meant X as in whatever-app-you-would-be-running ("the X that is seen is not the true X", and all that). Hmm, imprecise wording on my part.

What I am talking about is remote storage between sessions. While logged in your apps would run on the local workstation, only reading your profile from your remote store when logging in, and writing changes back when logging ou

I'm not talking about running apps remotely... What I am talking about is remote storage between sessions. While logged in your apps would run on the local workstation, only reading your profile from your remote store when logging in, and writing changes back when logging out.

Yes. As the GP said, unix was doing that 15 years ago, in the form of NFS-mounted home directories. (15 years is actually a rather conservative estimate, but that's beside the point.) Works great for applications running on the loca

[...]I'm not interested in entrusting my data (much less my secrets) to $RANDOM_CORPORATION, no matter how convenient that may make things. [...]

That's basically what I said in another post in this thread, "allow me to type in the credentials to *my very own* FTP server, tenjewberrymuds". Glad to know I'm not alone.

Incidentally, I had quite the head-to-head with my brother who's the "family webmaster", because he wants to change from Dreamhost to GMail, and I opposed having my data on Google's servers. Dreamhost I trust (and besides, my email must arrive *somewhere*); Google I don't.

In order to get the same functionality as any linux distro, or even Leopard you have to buy Vista Ultimate. You pay a premium for it. Even OEM installed versions go for $130 bucks a piece. Not everyone can legally use the OEM versions so in order to be legal, you have to pay street price.

Hm, imagine that. Having a workstation that from the ground up is equipped to handle roaming users, even across the internet. There would be issues with compatibility and installed software, but assuming the basics (OS login, browser bookmarks, yadda yadda) it would be a fair step towards ubiquitous computing. Ah, the future... are we there yet? Are we there yet? Are we there yet?...

Well, I've run across two [gopc.net] services [zonbu.com] like that recently. GOPC, while closer to 'save once, read anywhere' is ridiculously limite

Thunderbird sync would be great not just for contacts, but also for the newsreader. I'm sick of having to look over all the same usenet articles again to figure out what I've read and what I haven't when I go from home to work and back.

Frankly, I see absolutely no reason why someone can't whip up an extension storing and syncing the TB address book from several TB installations in a common WebDav-enabled webserver or other kind of fileserver. It's bloody trivial, all it takes is uploading/downloading a CSV file and diffing and merging it on the fly. In fact, I wouldn't be surprised to learn it's already been done. FoxMarks does this for the bookmarks in Firefox and I've been using it to keep the bookmarks in sync between my work installati

Why? What would you rather see - "she" written throughout the article? How would that be any better? "It"? "He/she" or "s/he" everywhere? Cumbersome and ugly. "They"? Grammatically incorrect, despite being used everywhere. "One" just sounds weird and formal (and the article isn't written in German).

An arbitrary choice was made. Pick "he" sometimes and "she" at other times, if it bothers you that much. More importantly, stop making big issues out of nonexistent ones - you understood the article, didn't yo

Personally I prefer Spivak pronouns. However, I still agree with the gist of the GP - using 'he' to refer to a person of unknown gender is an acceptable use of the word in English. Making an issue out of it is petty and confers some of that pettiness by association to any other ideals you might put under the same banner.

If they'd used yo instead of he, I wouldn't have understood what it meant. I would probably assume it was a typo for you or some slang meaning your (which would make even less sense in the context). Yo might be the word we've been looking for the last 200 years, but I doubt it and I certainly hadn't heard it used that way.

Singular "their" etc., was an accepted part of the English language before the 18th-century grammarians started making arbitrary judgements as to what is "good English" and "bad English", based on a kind of pseudo-"logic" deduced from the Latin language, that has nothing whatever to do with English. (See the 1975 journal article by Anne Bodine in the bibliography.) And even after the old-line grammarians put it under their ban, this anathematized singular "their" construction never stopped being used by English-speakers, both orally and by serious literary writers. So it's time for anyone who still thinks that singular "their" is so-called "bad grammar" to get rid of their prejudices and pedantry!

Our modern confusion stems from eighteenth-century grammarians who analysed English according to the structures of Latin and imposed stringent and irrelevant rules (such as the one about not splitting infinitives) that have bedevilled everybody since. In this case, they proposed that he should instead be the standard in cases in which the sex of the person referred to isn't known.

So, do you choose to reject the dogma of those grammarians who tried to impose Latin rules upon English which claims that singular "they" is incorrect or embrace the teachings of those same grammarians which state that "he" is the appropriate gender-inspecific pronoun? If you choose to reject the latter rule by considering the use of "he" to be horribly sexist, then you can just as easily reject the former a

You need to learn Finnish, which has only one word for "(s)he". The Finns I know all speak weird English as a consequence, but that's another matter:
Finn: She's looking for you.
Me: Who is?
Finn: Klinger is.
Me: O_o I thought Klinger was a... nevermind.

Also, in Sweden, if you ask somebody the time, (s)he'll say "She's 11:37."

I had to read the article 3 times to even notice the apparent sexism and I'm always very careful about what I write so as to not offend your type.

I always read everything carefully, but I don't bother trying to avoid offending someone with a hypersensitivity to non-issues. Political-correctness is a waste of time and energy that provides little practical benefit.

I've been sensitized to the issue of builtin gender bias for a few years. English, like many other modern European languages, has an inherent gender bias that I don't like. I don't like it, because I think in English, and I'm quite aware that this bias can limit my ability to frame certain ideas. I don't like to have any constraints on my reasoning abilities, and I certainly don't like these kinds of hidden constraints that operate on my thinking at such a low level that I grew up unaware of their influence

I think it depends on personal preference. If it was opt-in and encrypted on your end before it was stored on Mozilla servers then they send you the (encrypted) data on local load of Firefox then you enter your secret password/phrase (or have it come out of the wallet or equivalent) to decrypt it, again, locally then there wouldn't be *any* privacy issues. And if you chose to use it it would definitely come in handy for those instances where the OS unexpectedly borks itself on you and you have to reinstall. Then install firefox, enter your access code and at least that part is back to pre-bork settings.

I wouldn't use this. After all, the bookmarks I have at home are different from the ones I have at work. :)
I can't envisage a time when I'd need this. Plus it's very easy to SCP my bookmarks.html from my PC at home if I need them - or a simple SSH and grep to find the precise one I want. A solution in search of a problem?

No, just a solution that doesn't fit what you are looking for. Me? I use Foxmarks to keep my bookmarks synced between my multiple machines. Having sessions/passwords etc sync would be great, once I could get over the privacy issues.

Having sessions/passwords etc sync would be great, once I could get over the privacy issues.

Maybe they should do what Foxmark does: allow you to use your own server as the back end, instead of their own. Since all the support that's needed is a standard protocol (FTP or WebDav) I'm able to use my own home server without a hitch. End of privacy issues.

If you haven't looked at Firefox 3 beta, there are some crazy new bookmark features, including "smart" bookmarks generated from frequently-visited sites and such. There's also bookmark tagging. This must fit in very nicely with the "weave" strategy.

There are a lot of new features in Firefox 3. But there has also been a serious neglect of the maintenance aspect of software development. I know maintenance is not as glorious as adding new features, but it's still very important with each new release to fix the problems that were found with previous versions (or at least verify that such problems no longer exist).

While some small number of people might like these new bookmarking capabilities, I think they should have spent more time on fixing some of the i

They have been spending lots of time fixing those issues. Are there any specific bug reports you think should be addressed? Any particular site or feature you're having a problem with?

If you cannot or will not track down the problems you're complaining about, and they persist even after creating a new profile and trying other fixes in the MozillaZine Knowledge Base [mozillazine.org] and asking for help in the MozillaZine Forums [mozillazine.org], you should simply switch to another browser. Why put up with serious problems when there are so

The advice to create a new profile also has nothing to do with memory leaks in Mozilla software. If you're experiencing bugs in Mozilla software, you'll still see them with a new profile. If creating a new profile fixes a problem, it was due to a bad extension or other bad setting. In some rare situations, it may be possible that a perfectly reasonable setting triggers a bug in Firefo

One issue is that Firefox does have some bugs. Those are fixed by Mozilla developers fixing the bugs. That does not require the user to do anything. No one is asking for end users to debug those problems. If you can point out any issue you think is not getting the attention it deserves, please point it out. You can refer to a bug report in Bugzilla, or explain how one could see the issue.

The other issue is that users' computers get messed up for whatever reason.

a way to save bookmarks, etc on *MY* server. (By "My server", I mean my personally owned and operated FreeBSD box I have colo'ed', not what the average moron might mean where they confuse 'server' with 'service provider' and use 'my server' to refer to their ISP)

So privacy and security concerns go away (or at least, would be under my control rather than someone else's), but all the same functionality is there.

[I'd like to see] a way to save bookmarks, etc on *MY* server. (By "My server", I mean my personally owned and operated FreeBSD box I have colo'ed', not what the average moron might mean where they confuse 'server' with 'service provider' and use 'my server' to refer to their ISP)

From TFA:

We kept the server intentionally dumb and standards-based, so that anyone can set up a server for themselves and/or their friends or company.

I hate to want to reply to own post, but just in case you think TFA is just some goof with a Blogspot blog, the original quote is from Mozilla Labs [mozilla.com], specifically from Dan Mills [sandmill.org], a FireFox dev and former Novell engineer - definitely not the average moron [sandmill.org].

IIRC this is called social bookmarking and we've already got plenty of implementations, thanks very much. seems to me like a lame-ish pitch for some Web2.0 pie. if someone wanted to write an extension that said "auto-save my bookmarks to del.ico.us" then fine. but do we need moz to do that?

If you don't want to use it, don't download the extension. To use it, you have to:

- Go to a site
- Create an account
- Download an extension (on every single computer you use)
- Put in your username and password (again)
- Put in a private encryption passphrase
- Manually click the 'Sync' button.

Only then will it start automatically updating your bookmarks. If you have privacy issues about uploading your bookmarks to Mozilla's servers, then you can quite easily back out at any of these points, or not bother at all. If the fear is that they will share your bookmarks, then simply don't give them any to share. This is not a feature that is on by default, and the blog linked to even specifies that, if you're that paranoid about giving them your data, there will be a way to set up your own Weave server, so no-one but you will be able to know you visit PissMidgets.com

From the debugging logs, it seems like the information is just stored on a server via HTTPS+WebDAV. So if you control a web site (and you trust it more than you trust Mozilla), just change the Server Location (in Advanced Settings) from "https://services.mozilla.com/" to your own server. You will have to create a directory underneath that is the sha1sum of your account name, and it is up to you to set the permissions on the directory properly so that no one else can access it.
Of course, this is all just an educated guess, but...
"The rest is left as an exercise to the reader." :)

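The setup guessed at in the comment above (a private passphrase that never leaves the client, with data stored under a directory named after the SHA-1 of the account name), sketched as an added example that is not Weave's code or wire format and not part of the original thread. The blob layout, the `profile.bin` file name, the scrypt and AES-256-GCM choices and all function names are assumptions made for illustration.

```javascript
// Added illustration: client-side sealing of a browser profile before upload.
// Not Weave's protocol; layout and names below are hypothetical.
const nodeCrypto = require('node:crypto');

// Directory name as guessed in the comment: hex SHA-1 of the account name.
function accountDir(accountName) {
  return nodeCrypto.createHash('sha1').update(accountName, 'utf8').digest('hex');
}

// Stretch the passphrase into a 256-bit key. The salt is not secret and is
// stored with the blob; the passphrase itself is never sent to the server.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Returns what the WebDAV server would receive: a path and an opaque body.
// Body layout (assumed): salt(16) | iv(12) | tag(16) | ciphertext.
function sealProfile(profile, passphrase, accountName) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const dir = accountDir(accountName);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  // Bind the blob to its directory so it cannot be replayed into another account.
  cipher.setAAD(Buffer.from(dir, 'utf8'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(profile), 'utf8'), cipher.final()]);
  const body = Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
  return { path: `/${dir}/profile.bin`, body };
}

// Returns the profile object, or null if the passphrase is wrong, the blob
// belongs to another account, or the stored bytes were modified.
function openProfile(body, passphrase, accountName) {
  if (!Buffer.isBuffer(body) || body.length < 44) return null;
  const salt = body.subarray(0, 16);
  const iv = body.subarray(16, 28);
  const tag = body.subarray(28, 44);
  const ct = body.subarray(44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAAD(Buffer.from(accountDir(accountName), 'utf8'));
  decipher.setAuthTag(tag);
  try {
    const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // authentication failed: do not return partial plaintext
  }
}

// Constructed sample data: what the server operator can and cannot see.
function demo() {
  const profile = { bookmarks: ['https://example.org/private'], passwords: { 'example.org': 'hunter2' } };
  const sealed = sealProfile(profile, 'a long private passphrase', 'alice@example.com');
  return {
    path: sealed.path,
    serverSeesBookmark: sealed.body.includes(Buffer.from('example.org')),
    roundTrip: openProfile(sealed.body, 'a long private passphrase', 'alice@example.com'),
    wrongPassphrase: openProfile(sealed.body, 'guess', 'alice@example.com'),
  };
}
```

The server still learns the directory name, blob size and upload times; directory permissions, as the comment says, remain the operator's job.
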
Great to have another choice of vendor to store my browser profile at. I've been asking Mozilla for a roaming feature for years. I've seen the plugins that do this, but they host my data either at a company that's unknown to me, or that I don't trust. I have suggested the option of entering login info for an FTP server that you own (or have access to), so you don't have to rely on someone else, but it's no surprise that it's not going to happen unless Mozilla themselves go after it (or I write it myself, exc

I use this thing both at home and at work, and everything's encrypted with a passphrase (separate from the Google Account Password) that's not transmitted to Google, so they aren't able to decrypt the data without using brute force. I once had a funny experience with this thing - one weekend my boss logged in from my (google-synchronized) computer to check his email - well, his Gmail cookie synchronized to my home PC and I was able to read his mail. He hacked his own mailbox and I didn't even need to do anyt

I found the Browser Sync to be good for Firefox installs on new computers around the house. Besides that I didn't want it to actively update my bookmarks, I wanted to just copy the essentials over. But on the note of encryption... Yeah, Google could never have the computing power to break that encryption! I'm betting they are few years off from running their own distributed cracking program that can break pretty strongly encrypted stuff (all in house). Imagine if they used the browser sync install base (or b

Please, Mozilla people... document and publish the protocol! We would like to be able to save our bookmarks/passwords/sessions on our own servers, not yours (or Google's). We would like to have our browsers talking to back end systems that can do something useful with that data. Please make this useful!

Why has this been tagged "kissramgoodby"?
Presumably regardless of which model for storing favorites/passwords/sessions, when the browser is actually opened it goes in the RAM anyway? I don't see the meaning of that...

This is really useful. At the moment there is the Foxmarks plugin for bookmarks, which is excellent, but it would be nice to have a sync for Firefox / Thunderbird / Sunbird with all my preferences. I could reformat a machine and be mostly operational within seconds (especially if I took the time to create my own custom Ubuntu [aperantis.com]). Then I would just need to import my Pidgin preferences.

Other than passwords, there aren't any privacy issues for me. If someone hacks my account and discovers my bookmarks or which c

They could let you store it on their server, but allow you to encrypt the data with your own PGP key. You would have both the public and private keys for your data and only you would be able to access them.

Or they could let you choose which server you want to store the data on, maybe you would have your own server setup and you want to use that instead of theirs.

I can't call the language non-biased, but the bias exists in the English language itself.

That being said, the author should have followed basic writing etiquette and replaced the pronouns with him/her, he/she, etc... or, get rid of the gender-biased pronouns altogether and restructured the sentences to use words like "oneself".

PC police, coming in!
In Spanish, every word has a masculine and feminine form. When there is a mix of males and females, the masculine form is used. When it's ambiguous, the masculine form is used.
Replacing pronouns with he/she, him/her, etc is simply redundant. You're not accomplishing anything with it other than pacifying some overzealous feminazis.